Yesterday evening, The Guardian broke a big story: they claimed that the secret-sharing app Whisper has been storing users’ location data against their wishes. What’s more, they said, Whisper has been handing over info on what members of the armed services have been sharing to the US Department of Defense (DoD).

So, of course, given the severity of these allegations, Whisper’s editor in chief refused to answer any questions on the topic until he’d crafted a reassuring response for the app’s users. Just kidding: he immediately started ranting and making veiled threats on Twitter, before attempting to clarify the situation.

As to the accusation of sharing data with the DoD, he says this was public-health oriented: that they counted mentions of suicide in clusters around military bases and passed those details on, but kept users anonymous.

The company’s now released a five-page response addressing each of the Guardian’s accusations. But the Guardian reports that Whisper changed its terms of service after they contacted the company for comment. Installing the app now means agreeing to have your broad location identified even if you’ve turned geo-tagging off, and allowing the company to share user trends (on suicide or any other issue) with institutions and research organisations. And whereas most apps comply with law enforcement when requested, it now appears that Whisper is more proactive, snitching on users when it suspects illegal activity.

The paper says it became aware of Whisper’s practices when journalists visited the company’s HQ in L.A. to discuss a partnership. The Guardian had already published three stories based on Whisper data, quoting from some of the 2.6 million secrets shared daily, including in a Valentine’s Day-themed piece. BuzzFeed already has a business partnership with the app (which they’ve now suspended for the time being) and the paper was looking into something similar.

But its reporters say that when Whisper showed them its backend (so to speak), they discovered that the app is holding onto data that users assume has been deleted, including a vast library of past secrets, many stored with location data. It also says the company is tracking users they think could be useful in future. They write that a senior executive said of a Washington insider: ‘He’s a guy that we’ll track for the rest of his life and he’ll have no idea we’ll be watching him.’

Research has previously suggested that app makers may be selling or sharing information without users’ permission, with free apps being especially keen to capitalise on our personal data. Last year, Privacy Rights Clearinghouse funded a study into health and fitness apps, and found that 39% of free apps and 30% of paid apps were sending information to places not disclosed in their privacy policies. 43% of free apps also shared personally identifiable information with advertisers, while only 5% of paid apps did. The majority of apps failed to encrypt user data when it was sent to the web.

For now, Whisper is still denying any wrongdoing, and the Guardian is holding firm, publishing a detailed response to Whisper’s response. What’s clear is that we’ll never really know everything that goes on behind closed apps, but as our earlier story on sharing info online made clear, we should probably be careful what we tell the internet, and maybe even consider occasionally talking to people IRL instead.